/********************************************************************************/
/*										*/
/*			Interfaces to the Crypto Engine				*/
/*			     Written by Ken Goldman				*/
/*		       IBM Thomas J. Watson Research Center			*/
/*            $Id: CryptUtil.c 1658 2021-01-22 23:14:01Z kgoldman $		*/
/*										*/
/*  Licenses and Notices							*/
/*										*/
/*  1. Copyright Licenses:							*/
/*										*/
/*  - Trusted Computing Group (TCG) grants to the user of the source code in	*/
/*    this specification (the "Source Code") a worldwide, irrevocable, 		*/
/*    nonexclusive, royalty free, copyright license to reproduce, create 	*/
/*    derivative works, distribute, display and perform the Source Code and	*/
/*    derivative works thereof, and to grant others the rights granted herein.	*/
/*										*/
/*  - The TCG grants to the user of the other parts of the specification 	*/
/*    (other than the Source Code) the rights to reproduce, distribute, 	*/
/*    display, and perform the specification solely for the purpose of 		*/
/*    developing products based on such documents.				*/
/*										*/
/*  2. Source Code Distribution Conditions:					*/
/*										*/
/*  - Redistributions of Source Code must retain the above copyright licenses, 	*/
/*    this list of conditions and the following disclaimers.			*/
/*										*/
/*  - Redistributions in binary form must reproduce the above copyright 	*/
/*    licenses, this list of conditions	and the following disclaimers in the 	*/
/*    documentation and/or other materials provided with the distribution.	*/
/*										*/
/*  3. Disclaimers:								*/
/*										*/
/*  - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF	*/
/*  LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH	*/
/*  RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES)	*/
/*  THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE.		*/
/*  Contact TCG Administration (admin@trustedcomputinggroup.org) for 		*/
/*  information on specification licensing rights available through TCG 	*/
/*  membership agreements.							*/
/*										*/
/*  - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED 	*/
/*    WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR 	*/
/*    FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR 		*/
/*    NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY 		*/
/*    OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE.		*/
/*										*/
/*  - Without limitation, TCG and its members and licensors disclaim all 	*/
/*    liability, including liability for infringement of any proprietary 	*/
/*    rights, relating to use of information in this specification and to the	*/
/*    implementation of this specification, and TCG disclaims all liability for	*/
/*    cost of procurement of substitute goods or services, lost profits, loss 	*/
/*    of use, loss of data or any incidental, consequential, direct, indirect, 	*/
/*    or special damages, whether under contract, tort, warranty or otherwise, 	*/
/*    arising in any way out of use or reliance upon this specification or any 	*/
/*    information herein.							*/
/*										*/
/*  (c) Copyright IBM Corp. and others, 2016 - 2021				*/
/*										*/
/********************************************************************************/

/* 10.2.6 CryptUtil.c */
/* 10.2.6.1 Introduction */
/* This module contains the interfaces to the CryptoEngine() and provides miscellaneous
   cryptographic functions in support of the TPM. */
/* 10.2.6.2 Includes */
#include "Tpm.h"
/* 10.2.6.3 Hash/HMAC Functions */
/* 10.2.6.3.1 CryptHmacSign() */
/* Sign a digest using an HMAC key. This an HMAC of a digest, not an HMAC of a message. */
/* Error Returns Meaning */
/* TPM_RC_HASH not a valid hash */
static TPM_RC
CryptHmacSign(
	      TPMT_SIGNATURE      *signature,     // OUT: signature
	      OBJECT              *signKey,       // IN: HMAC key sign the hash
	      TPM2B_DIGEST        *hashData       // IN: hash to be signed
	      )
{
    HMAC_STATE       hmacState;
    UINT32           digestSize;
    digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
				  &signKey->sensitive.sensitive.bits.b);
    CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
    CryptHmacEnd(&hmacState, digestSize,
		 (BYTE *)&signature->signature.hmac.digest);
    return TPM_RC_SUCCESS;
}
/* 10.2.6.3.2 CryptHMACVerifySignature() */
/* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare
   signature with the signature algorithm (TPM_ALG_HMAC) and the hash algorithm to use. This
   function then builds a signature of that type. */
/* Error Returns Meaning */
/* TPM_RC_SCHEME not the proper scheme for this key type */
/* TPM_RC_SIGNATURE if invalid input or signature is not genuine */
static TPM_RC
CryptHMACVerifySignature(
			 OBJECT              *signKey,       // IN: HMAC key signed the hash
			 TPM2B_DIGEST        *hashData,      // IN: digest being verified
			 TPMT_SIGNATURE      *signature      // IN: signature to be verified
			 )
{
    TPMT_SIGNATURE           test;
    TPMT_KEYEDHASH_SCHEME   *keyScheme =
	&signKey->publicArea.parameters.keyedHashDetail.scheme;
    //
    if((signature->sigAlg != TPM_ALG_HMAC)
       || (signature->signature.hmac.hashAlg == TPM_ALG_NULL))
	return TPM_RC_SCHEME;
    // This check is not really needed for verification purposes. However, it does
    // prevent someone from trying to validate a signature using a weaker hash
    // algorithm than otherwise allowed by the key. That is, a key with a scheme
    // other than TMP_ALG_NULL can only be used to validate signatures that have
    // a matching scheme.
    if((keyScheme->scheme != TPM_ALG_NULL)
       && ((keyScheme->scheme != signature->sigAlg)
	   || (keyScheme->details.hmac.hashAlg != signature->signature.any.hashAlg)))
	return TPM_RC_SIGNATURE;
    test.sigAlg = signature->sigAlg;
    test.signature.hmac.hashAlg = signature->signature.hmac.hashAlg;
    CryptHmacSign(&test, signKey, hashData);
    // Compare digest
    if(!MemoryEqual(&test.signature.hmac.digest,
		    &signature->signature.hmac.digest,
		    CryptHashGetDigestSize(signature->signature.any.hashAlg)))
	return TPM_RC_SIGNATURE;
    return TPM_RC_SUCCESS;
}
/* 10.2.6.3.3 CryptGenerateKeyedHash() */
/* This function creates a keyedHash object. */
/* Error Returns Meaning */
/* TPM_RC_NO_RESULT cannot get values from random number generator */
/* TPM_RC_SIZE sensitive data size is larger than allowed for the scheme */
static TPM_RC
CryptGenerateKeyedHash(
		       TPMT_PUBLIC             *publicArea,        // IN/OUT: the public area template
		       //     for the new key.
		       TPMT_SENSITIVE          *sensitive,         // OUT: sensitive area
		       TPMS_SENSITIVE_CREATE   *sensitiveCreate,   // IN: sensitive creation data
		       RAND_STATE              *rand               // IN: "entropy" source
		       )
{
    TPMT_KEYEDHASH_SCHEME   *scheme;
    TPM_ALG_ID               hashAlg;
    UINT16                   digestSize;
    
    scheme = &publicArea->parameters.keyedHashDetail.scheme;
    
    if(publicArea->type != TPM_ALG_KEYEDHASH)
	return TPM_RC_FAILURE;
    // Pick the limiting hash algorithm
    if(scheme->scheme == TPM_ALG_NULL)
	hashAlg = publicArea->nameAlg;
    else if(scheme->scheme == TPM_ALG_XOR)
	hashAlg = scheme->details.xorr.hashAlg;
    else
	hashAlg = scheme->details.hmac.hashAlg;
    /* hashBlockSize = CryptHashGetBlockSize(hashAlg); */
    digestSize = CryptHashGetDigestSize(hashAlg);
    
    // if this is a signing or a decryption key, then the limit
    // for the data size is the block size of the hash. This limit
    // is set because larger values have lower entropy because of the
    // HMAC function. The lower limit is 1/2 the size of the digest
    //
    //If the user provided the key, check that it is a proper size
    if(sensitiveCreate->data.t.size != 0)
	{
	    if(IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, decrypt)
	       || IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, sign))
		{
		    if(sensitiveCreate->data.t.size > CryptHashGetBlockSize(hashAlg))
			return TPM_RC_SIZE;
#if 0   // May make this a FIPS-mode requirement
		    if(sensitiveCreate->data.t.size < (digestSize / 2))
			return TPM_RC_SIZE;
#endif
		}
	    // If this is a data blob, then anything that will get past the unmarshaling
	    // is OK
	    MemoryCopy2B(&sensitive->sensitive.bits.b, &sensitiveCreate->data.b,
			 sizeof(sensitive->sensitive.bits.t.buffer));
	}
    else
	{
	    // The TPM is going to generate the data so set the size to be the
	    // size of the digest of the algorithm
	    sensitive->sensitive.bits.t.size =
		DRBG_Generate(rand, sensitive->sensitive.bits.t.buffer, digestSize);
	    if(sensitive->sensitive.bits.t.size == 0)
		return (g_inFailureMode) ? TPM_RC_FAILURE : TPM_RC_NO_RESULT;
	}
    return TPM_RC_SUCCESS;
}
/* 10.2.6.3.4 CryptIsSchemeAnonymous() */
/* This function is used to test a scheme to see if it is an anonymous scheme The only anonymous
   scheme is ECDAA. ECDAA can be used to do things like U-Prove. */
BOOL
CryptIsSchemeAnonymous(
		       TPM_ALG_ID       scheme         // IN: the scheme algorithm to test
		       )
{
    return scheme == TPM_ALG_ECDAA;
}
/* 10.2.6.4 Symmetric Functions */
/* 10.2.6.4.1 ParmDecryptSym() */
/* This function performs parameter decryption using symmetric block cipher. */
void
ParmDecryptSym(
	       TPM_ALG_ID       symAlg,        // IN: the symmetric algorithm
	       TPM_ALG_ID       hash,          // IN: hash algorithm for KDFa
	       UINT16           keySizeInBits, // IN: the key size in bits
	       TPM2B           *key,           // IN: KDF HMAC key
	       TPM2B           *nonceCaller,   // IN: nonce caller
	       TPM2B           *nonceTpm,      // IN: nonce TPM
	       UINT32           dataSize,      // IN: size of parameter buffer
	       BYTE            *data           // OUT: buffer to be decrypted
	       )
{
    // KDF output buffer
    // It contains parameters for the CFB encryption
    // From MSB to LSB, they are the key and iv
    BYTE             symParmString[MAX_SYM_KEY_BYTES + MAX_SYM_BLOCK_SIZE];
    // Symmetric key size in byte
    UINT16           keySize = (keySizeInBits + 7) / 8;
    TPM2B_IV         iv;
    iv.t.size = CryptGetSymmetricBlockSize(symAlg, keySizeInBits);
    // If there is decryption to do...
    if(iv.t.size > 0)
	{
	    // Generate key and iv
	    CryptKDFa(hash, key, CFB_KEY, nonceCaller, nonceTpm,
		      keySizeInBits + (iv.t.size * 8), symParmString, NULL, FALSE);
	    MemoryCopy(iv.t.buffer, &symParmString[keySize], iv.t.size);
	    CryptSymmetricDecrypt(data, symAlg, keySizeInBits, symParmString,
				  &iv, TPM_ALG_CFB, dataSize, data);
	}
    return;
}
/* 10.2.6.4.2 ParmEncryptSym() */
/* This function performs parameter encryption using symmetric block cipher. */
void
ParmEncryptSym(
	       TPM_ALG_ID       symAlg,        // IN: symmetric algorithm
	       TPM_ALG_ID       hash,          // IN: hash algorithm for KDFa
	       UINT16           keySizeInBits, // IN: AES symmetric key size in bits
	       TPM2B           *key,           // IN: KDF HMAC key
	       TPM2B           *nonceCaller,   // IN: nonce caller
	       TPM2B           *nonceTpm,      // IN: nonce TPM
	       UINT32           dataSize,      // IN: size of parameter buffer
	       BYTE            *data           // OUT: buffer to be encrypted
	       )
{
    // KDF output buffer
    // It contains parameters for the CFB encryption
    BYTE             symParmString[MAX_SYM_KEY_BYTES + MAX_SYM_BLOCK_SIZE];
    // Symmetric key size in bytes
    UINT16           keySize = (keySizeInBits + 7) / 8;
    TPM2B_IV         iv;
    iv.t.size = CryptGetSymmetricBlockSize(symAlg, keySizeInBits);
    // See if there is any encryption to do
    if(iv.t.size > 0)
	{
	    // Generate key and iv
	    CryptKDFa(hash, key, CFB_KEY, nonceTpm, nonceCaller,
		      keySizeInBits + (iv.t.size * 8), symParmString, NULL, FALSE);
	    MemoryCopy(iv.t.buffer, &symParmString[keySize], iv.t.size);
	    CryptSymmetricEncrypt(data, symAlg, keySizeInBits, symParmString, &iv,
				  TPM_ALG_CFB, dataSize, data);
	}
    return;
}
/* 10.2.6.4.3 CryptGenerateKeySymmetric() */
/* This function generates a symmetric cipher key. The derivation process is determined by the type
   of the provided rand */
/* Error Returns Meaning */
/* TPM_RC_NO_RESULT cannot get a random value */
/* TPM_RC_KEY_SIZE key size in the public area does not match the size in the sensitive creation
   area */
/* TPM_RC_KEY provided key value is not allowed */
static TPM_RC
CryptGenerateKeySymmetric(
			  TPMT_PUBLIC             *publicArea,        // IN/OUT: The public area template
			  //     for the new key.
			  TPMT_SENSITIVE          *sensitive,         // OUT: sensitive area
			  TPMS_SENSITIVE_CREATE   *sensitiveCreate,   // IN: sensitive creation data
			  RAND_STATE              *rand               // IN: the "entropy" source for
			  )
{
    UINT16           keyBits = publicArea->parameters.symDetail.sym.keyBits.sym;
    TPM_RC           result;
    //
    // only do multiples of RADIX_BITS
    if((keyBits % RADIX_BITS) != 0)
	return TPM_RC_KEY_SIZE;
    // If this is not a new key, then the provided key data must be the right size
    if(sensitiveCreate->data.t.size != 0)
	{
	    result = CryptSymKeyValidate(&publicArea->parameters.symDetail.sym,
					 (TPM2B_SYM_KEY *)&sensitiveCreate->data);
	    if(result == TPM_RC_SUCCESS)
		MemoryCopy2B(&sensitive->sensitive.sym.b, &sensitiveCreate->data.b,
			     sizeof(sensitive->sensitive.sym.t.buffer));
	}
#if ALG_TDES
    else if(publicArea->parameters.symDetail.sym.algorithm == TPM_ALG_TDES)
	{
	    sensitive->sensitive.sym.t.size = keyBits / 8;
	    result = CryptGenerateKeyDes(publicArea, sensitive, rand);
	}
#endif
    else
    {
	sensitive->sensitive.sym.t.size =
	    DRBG_Generate(rand, sensitive->sensitive.sym.t.buffer,
			  BITS_TO_BYTES(keyBits));
	if(g_inFailureMode)
	    result = TPM_RC_FAILURE;
	else if(sensitive->sensitive.sym.t.size == 0)
	    result = TPM_RC_NO_RESULT;
	else
	    result = TPM_RC_SUCCESS;
    }
    return result;
}
/* 10.2.6.4.4 CryptXORObfuscation() */
/* This function implements XOR obfuscation. It should not be called if the hash algorithm is not
   implemented. The only return value from this function is TPM_RC_SUCCESS. */
void
CryptXORObfuscation(
		    TPM_ALG_ID       hash,          // IN: hash algorithm for KDF
		    TPM2B           *key,           // IN: KDF key
		    TPM2B           *contextU,      // IN: contextU
		    TPM2B           *contextV,      // IN: contextV
		    UINT32           dataSize,      // IN: size of data buffer
		    BYTE            *data           // IN/OUT: data to be XORed in place
		    )
{
    BYTE             mask[MAX_DIGEST_SIZE]; // Allocate a digest sized buffer
    BYTE            *pm;
    UINT32           i;
    UINT32           counter = 0;
    UINT16           hLen = CryptHashGetDigestSize(hash);
    UINT32           requestSize = dataSize * 8;
    INT32            remainBytes = (INT32)dataSize;
    pAssert((key != NULL) && (data != NULL) && (hLen != 0));
    // Call KDFa to generate XOR mask
    for(; remainBytes > 0; remainBytes -= hLen)
	{
	    // Make a call to KDFa to get next iteration
	    CryptKDFa(hash, key, XOR_KEY, contextU, contextV,
		      requestSize, mask, &counter, TRUE);
	    // XOR next piece of the data
	    pm = mask;
	    for(i = hLen < remainBytes ? hLen : remainBytes; i > 0; i--)
		*data++ ^= *pm++;
	}
    return;
}
/* 10.2.6.5 Initialization and shut down */
/* 10.2.6.5.1 CryptInit() */
/* This function is called when the TPM receives a _TPM_Init() indication. */
/* NOTE: The hash algorithms do not have to be tested, they just need to be available. They have to
   be tested before the TPM can accept HMAC authorization or return any result that relies on a hash
   algorithm. */
/* Return Values Meaning */
/* TRUE initializations succeeded */
/* FALSE initialization failed and caller should place the TPM into Failure Mode */
BOOL
CryptInit(
	  void
	  )
{
    BOOL         ok;
    // Initialize the vector of implemented algorithms
    AlgorithmGetImplementedVector(&g_implementedAlgorithms);
    // Indicate that all test are necessary
    CryptInitializeToTest();
    // Do any library initializations that are necessary. If any fails,
    // the caller should go into failure mode;
    ok = SupportLibInit();
    ok = ok && CryptSymInit();
    ok = ok && CryptRandInit();
    ok = ok && CryptHashInit();
#if ALG_RSA
    ok = ok && CryptRsaInit();
#endif // TPM_ALG_RSA
#if ALG_ECC
    ok = ok && CryptEccInit();
#endif // TPM_ALG_ECC
    return ok;
}
/* 10.2.6.5.2 CryptStartup() */
/* This function is called by TPM2_Startup() to initialize the functions in this cryptographic
   library and in the provided CryptoLibrary(). This function and CryptUtilInit() are both provided
   so that the implementation may move the initialization around to get the best interaction. */
/* Return Values Meaning */
/* TRUE startup succeeded */
/* FALSE startup failed and caller should place the TPM into Failure Mode */
BOOL
CryptStartup(
	     STARTUP_TYPE     type           // IN: the startup type
	     )
{
    BOOL            OK;
    NOT_REFERENCED(type);
    OK = CryptSymStartup();
    OK = OK && CryptRandStartup();
    OK = OK && CryptHashStartup();
#if ALG_RSA
    OK = OK && CryptRsaStartup();
#endif // TPM_ALG_RSA
#if ALG_ECC
    OK = OK && CryptEccStartup();
#endif // TPM_ALG_ECC
	 ;
#if ALG_ECC
    // Don't directly check for SU_RESET because that is the default
    if(OK && (type != SU_RESTART) && (type != SU_RESUME))
	{
	    // If the shutdown was orderly, then the values recovered from NV will
	    // be OK to use.
	    // Get a new  random commit nonce
	    gr.commitNonce.t.size = sizeof(gr.commitNonce.t.buffer);
	    CryptRandomGenerate(gr.commitNonce.t.size, gr.commitNonce.t.buffer);
	    // Reset the counter and commit array
	    gr.commitCounter = 0;
	    MemorySet(gr.commitArray, 0, sizeof(gr.commitArray));
	}
#endif // TPM_ALG_ECC
    return OK;
}
/* 10.2.6.6 Algorithm-Independent Functions */
/* 10.2.6.6.1 Introduction */
/* These functions are used generically when a function of a general type (e.g., symmetric
   encryption) is required.  The functions will modify the parameters as required to interface to
   the indicated algorithms. */
/* 10.2.6.6.2 CryptIsAsymAlgorithm() */
/* This function indicates if an algorithm is an asymmetric algorithm. */
/* Return Values Meaning */
/* TRUE if it is an asymmetric algorithm */
/* FALSE if it is not an asymmetric algorithm */
BOOL
CryptIsAsymAlgorithm(
		     TPM_ALG_ID       algID          // IN: algorithm ID
		     )
{
    switch(algID)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
#endif
#if ALG_ECC
	  case TPM_ALG_ECC:
#endif
	    return TRUE;
	    break;
	  default:
	    break;
	}
    return FALSE;
}
/* 10.2.6.6.3 CryptSecretEncrypt() */
/* This function creates a secret value and its associated secret structure using an asymmetric
   algorithm. */
/* This function is used by TPM2_Rewrap() TPM2_MakeCredential(), and TPM2_Duplicate(). */
/* Error Returns Meaning */
/* TPM_RC_ATTRIBUTES keyHandle does not reference a valid decryption key */
/* TPM_RC_KEY invalid ECC key (public point is not on the curve) */
/* TPM_RC_SCHEME RSA key with an unsupported padding scheme */
/* TPM_RC_VALUE numeric value of the data to be decrypted is greater than the RSA key modulus */
TPM_RC
CryptSecretEncrypt(
		   OBJECT                  *encryptKey,    // IN: encryption key object
		   const TPM2B             *label,         // IN: a null-terminated string as L
		   TPM2B_DATA              *data,          // OUT: secret value
		   TPM2B_ENCRYPTED_SECRET  *secret         // OUT: secret structure
		   )
{
    TPMT_RSA_DECRYPT         scheme;
    TPM_RC                   result = TPM_RC_SUCCESS;
    //
    if(data == NULL || secret == NULL)
	return TPM_RC_FAILURE;
    // The output secret value has the size of the digest produced by the nameAlg.
    data->t.size = CryptHashGetDigestSize(encryptKey->publicArea.nameAlg);
    // The encryption scheme is OAEP using the nameAlg of the encrypt key.
    scheme.scheme = TPM_ALG_OAEP;
    scheme.details.anySig.hashAlg = encryptKey->publicArea.nameAlg;
    if(!IS_ATTRIBUTE(encryptKey->publicArea.objectAttributes, TPMA_OBJECT, decrypt))
	return TPM_RC_ATTRIBUTES;
    switch(encryptKey->publicArea.type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	      {
		  // Create secret data from RNG
		  CryptRandomGenerate(data->t.size, data->t.buffer);
		  // Encrypt the data by RSA OAEP into encrypted secret
		  result = CryptRsaEncrypt((TPM2B_PUBLIC_KEY_RSA *)secret, &data->b,
					   encryptKey, &scheme, label, NULL);
	      }
	      break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	      {
		  TPMS_ECC_POINT      eccPublic;
		  TPM2B_ECC_PARAMETER eccPrivate;
		  TPMS_ECC_POINT      eccSecret;
		  BYTE                *buffer = secret->t.secret;
		  // Need to make sure that the public point of the key is on the
		  // curve defined by the key.
		  if(!CryptEccIsPointOnCurve(
					     encryptKey->publicArea.parameters.eccDetail.curveID,
					     &encryptKey->publicArea.unique.ecc))
		      result = TPM_RC_KEY;
		  else
		      {
			  // Call crypto engine to create an auxiliary ECC key
			  // We assume crypt engine initialization should always success.
			  // Otherwise, TPM should go to failure mode.
			  CryptEccNewKeyPair(&eccPublic, &eccPrivate,
					     encryptKey->publicArea.parameters.eccDetail.curveID);
			  // Marshal ECC public to secret structure. This will be used by the
			  // recipient to decrypt the secret with their private key.
			  secret->t.size = TPMS_ECC_POINT_Marshal(&eccPublic, &buffer, NULL);
			  // Compute ECDH shared secret which is R = [d]Q where d is the
			  // private part of the ephemeral key and Q is the public part of a
			  // TPM key. TPM_RC_KEY error return from CryptComputeECDHSecret
			  // because the auxiliary ECC key is just created according to the
			  // parameters of input ECC encrypt key.
			  if(CryptEccPointMultiply(&eccSecret,
						   encryptKey->publicArea.parameters.eccDetail.curveID,
						   &encryptKey->publicArea.unique.ecc, &eccPrivate,
						   NULL, NULL) != TPM_RC_SUCCESS)
			      result = TPM_RC_KEY;
			  else
			      {
				  // The secret value is computed from Z using KDFe as:
				  // secret := KDFe(HashID, Z, Use, PartyUInfo, PartyVInfo, bits)
				  // Where:
				  //  HashID  the nameAlg of the decrypt key
				  //  Z   the x coordinate (Px) of the product (P) of the point
				  //      (Q) of the secret and the private x coordinate (de,V)
				  //      of the decryption key
				  //  Use a null-terminated string containing "SECRET"
				  //  PartyUInfo  the x coordinate of the point in the secret
				  //              (Qe,U )
				  //  PartyVInfo  the x coordinate of the public key (Qs,V )
				  //  bits    the number of bits in the digest of HashID
				  // Retrieve seed from KDFe
				  CryptKDFe(encryptKey->publicArea.nameAlg, &eccSecret.x.b,
					    label, &eccPublic.x.b,
					    &encryptKey->publicArea.unique.ecc.x.b,
					    data->t.size * 8, data->t.buffer);
			      }
		      }
	      }
	      break;
#endif //TPM_ALG_ECC
	  default:
	    FAIL(FATAL_ERROR_INTERNAL);
	    break;
	}
    return result;
}
/* 10.2.6.6.4 CryptSecretDecrypt() */
/* Decrypt a secret value by asymmetric (or symmetric) algorithm This function is used for
   ActivateCredential() and Import for asymmetric decryption, and StartAuthSession() for both
   asymmetric and symmetric decryption process */
/* Error Returns Meaning */
/* TPM_RC_ATTRIBUTES RSA key is not a decryption key */
/* TPM_RC_BINDING Invalid RSA key (public and private parts are not cryptographically bound. */
/* TPM_RC_ECC_POINT ECC point in the secret is not on the curve */
/* TPM_RC_INSUFFICIENT failed to retrieve ECC point from the secret */
/* TPM_RC_NO_RESULT multiplication resulted in ECC point at infinity */
/* TPM_RC_SIZE data to decrypt is not of the same size as RSA key */
/* TPM_RC_VALUE For RSA key, numeric value of the encrypted data is greater than the modulus, or the
   recovered data is larger than the output buffer. For keyedHash or symmetric key, the secret is
   larger than the size of the digest produced by the name algorithm. */
/* TPM_RC_FAILURE internal error */
TPM_RC
CryptSecretDecrypt(
		   OBJECT                 *decryptKey,    // IN: decrypt key
		   TPM2B_NONCE             *nonceCaller,   // IN: nonceCaller.  It is needed for
		   //     symmetric decryption.  For
		   //     asymmetric decryption, this
		   //     parameter is NULL
		   const TPM2B             *label,         // IN: a value for L
		   TPM2B_ENCRYPTED_SECRET  *secret,        // IN: input secret
		   TPM2B_DATA              *data           // OUT: decrypted secret value
		   )
{
    TPM_RC      result = TPM_RC_SUCCESS;
    // Decryption for secret
    switch(decryptKey->publicArea.type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	      {
		  TPMT_RSA_DECRYPT        scheme;
		  TPMT_RSA_SCHEME         *keyScheme
		      = &decryptKey->publicArea.parameters.rsaDetail.scheme;
		  UINT16                   digestSize;
		  scheme = *(TPMT_RSA_DECRYPT *)keyScheme;
		  // If the key scheme is TPM_ALG_NULL, set the scheme to OAEP and
		  // set the algorithm to the name algorithm.
		  if(scheme.scheme == TPM_ALG_NULL)
		      {
			  // Use OAEP scheme
			  scheme.scheme = TPM_ALG_OAEP;
			  scheme.details.oaep.hashAlg = decryptKey->publicArea.nameAlg;
		      }
		  // use the digestSize as an indicator of whether or not the scheme
		  // is using a supported hash algorithm.
		  // Note: depending on the scheme used for encryption, a hashAlg might
		  // not be needed. However, the return value has to have some upper
		  // limit on the size. In this case, it is the size of the digest of the
		  // hash algorithm. It is checked after the decryption is done but, there
		  // is no point in doing the decryption if the size is going to be
		  // 'wrong' anyway.
		  digestSize = CryptHashGetDigestSize(scheme.details.oaep.hashAlg);
		  if(scheme.scheme != TPM_ALG_OAEP || digestSize == 0)
		      return TPM_RC_SCHEME;
		  // Set the output buffer capacity
		  data->t.size = sizeof(data->t.buffer);
		  // Decrypt seed by RSA OAEP
		  result = CryptRsaDecrypt(&data->b, &secret->b,
					   decryptKey, &scheme, label);
		  if((result == TPM_RC_SUCCESS) && (data->t.size > digestSize))
		      result = TPM_RC_VALUE;
	      }
	      break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	      {
		  TPMS_ECC_POINT       eccPublic;
		  TPMS_ECC_POINT       eccSecret;
		  BYTE                *buffer = secret->t.secret;
		  INT32                size = secret->t.size;
		  // Retrieve ECC point from secret buffer
		  result = TPMS_ECC_POINT_Unmarshal(&eccPublic, &buffer, &size);
		  if(result == TPM_RC_SUCCESS)
		      {
			  result = CryptEccPointMultiply(&eccSecret,
							 decryptKey->publicArea.parameters.eccDetail.curveID,
							 &eccPublic, &decryptKey->sensitive.sensitive.ecc,
							 NULL, NULL);
			  if(result == TPM_RC_SUCCESS)
			      {
				  // Set the size of the "recovered" secret value to be the size
				  // of the digest produced by the nameAlg.
				  data->t.size =
				      CryptHashGetDigestSize(decryptKey->publicArea.nameAlg);
				  // The secret value is computed from Z using KDFe as:
				  // secret := KDFe(HashID, Z, Use, PartyUInfo, PartyVInfo, bits)
				  // Where:
				  //  HashID -- the nameAlg of the decrypt key
				  //  Z --  the x coordinate (Px) of the product (P) of the point
				  //        (Q) of the secret and the private x coordinate (de,V)
				  //        of the decryption key
				  //  Use -- a null-terminated string containing "SECRET"
				  //  PartyUInfo -- the x coordinate of the point in the secret
				  //              (Qe,U )
				  //  PartyVInfo -- the x coordinate of the public key (Qs,V )
				  //  bits -- the number of bits in the digest of HashID
				  // Retrieve seed from KDFe
				  CryptKDFe(decryptKey->publicArea.nameAlg, &eccSecret.x.b, label,
					    &eccPublic.x.b,
					    &decryptKey->publicArea.unique.ecc.x.b,
					    data->t.size * 8, data->t.buffer);
			      }
		      }
	      }
	      break;
#endif //TPM_ALG_ECC
#if !ALG_KEYEDHASH
#   error   "KEYEDHASH support is required"
#endif
	  case TPM_ALG_KEYEDHASH:
	    // The seed size can not be bigger than the digest size of nameAlg
	    if(secret->t.size >
	       CryptHashGetDigestSize(decryptKey->publicArea.nameAlg))
		result = TPM_RC_VALUE;
	    else
		{
		    // Retrieve seed by XOR Obfuscation:
		    //    seed = XOR(secret, hash, key, nonceCaller, nullNonce)
		    //    where:
		    //    secret  the secret parameter from the TPM2_StartAuthHMAC
		    //            command that contains the seed value
		    //    hash    nameAlg  of tpmKey
		    //    key     the key or data value in the object referenced by
		    //            entityHandle in the TPM2_StartAuthHMAC command
		    //    nonceCaller the parameter from the TPM2_StartAuthHMAC command
		    //    nullNonce   a zero-length nonce
		    // XOR Obfuscation in place
		    CryptXORObfuscation(decryptKey->publicArea.nameAlg,
					&decryptKey->sensitive.sensitive.bits.b,
					&nonceCaller->b, NULL,
					secret->t.size, secret->t.secret);
		    // Copy decrypted seed
		    MemoryCopy2B(&data->b, &secret->b, sizeof(data->t.buffer));
		}
	    break;
	  case TPM_ALG_SYMCIPHER:
	      {
		  TPM2B_IV                iv = {{0}};
		  TPMT_SYM_DEF_OBJECT     *symDef;
		  // The seed size can not be bigger than the digest size of nameAlg
		  if(secret->t.size >
		     CryptHashGetDigestSize(decryptKey->publicArea.nameAlg))
		      result = TPM_RC_VALUE;
		  else
		      {
			  symDef = &decryptKey->publicArea.parameters.symDetail.sym;
			  iv.t.size = CryptGetSymmetricBlockSize(symDef->algorithm,
								 symDef->keyBits.sym);
			  if(iv.t.size == 0)
			      return TPM_RC_FAILURE;
			  if(nonceCaller->t.size >= iv.t.size)
			      {
				  MemoryCopy(iv.t.buffer, nonceCaller->t.buffer, iv.t.size);
			      }
			  else
			      {
				  if(nonceCaller->t.size > sizeof(iv.t.buffer))
				      return TPM_RC_FAILURE;
				  MemoryCopy(iv.t.buffer, nonceCaller->t.buffer,  // libtpms changed: use iv.t.buffer
					     nonceCaller->t.size);
			      }
			  // make sure secret will fit
			  if(secret->t.size > data->t.size)
			      return TPM_RC_FAILURE;
			  data->t.size = secret->t.size;
			  // CFB decrypt, using nonceCaller as iv
			  CryptSymmetricDecrypt(data->t.buffer, symDef->algorithm,
						symDef->keyBits.sym,
						decryptKey->sensitive.sensitive.sym.t.buffer,
						&iv, TPM_ALG_CFB, secret->t.size,
						secret->t.secret);
		      }
	      }
	      break;
	  default:
	    FAIL(FATAL_ERROR_INTERNAL);
	    break;
	}
    return result;
}
/* 10.2.6.6.5 CryptParameterEncryption() */
/* This function does in-place encryption of a response parameter. */
void
CryptParameterEncryption(
			 TPM_HANDLE       handle,            // IN: encrypt session handle
			 TPM2B           *nonceCaller,       // IN: nonce caller
			 UINT16           leadingSizeInByte, // IN: the size of the leading size field in
			 //     bytes
			 TPM2B_AUTH      *extraKey,          // IN: additional key material other than
			 //     sessionAuth
			 BYTE            *buffer             // IN/OUT: parameter buffer to be encrypted
			 )
{
    SESSION     *session = SessionGet(handle);  // encrypt session
    TPM2B_TYPE(TEMP_KEY, (sizeof(extraKey->t.buffer)
			  + sizeof(session->sessionKey.t.buffer)));
    TPM2B_TEMP_KEY        key;               // encryption key
    UINT32               cipherSize = 0;    // size of cipher text
    // Retrieve encrypted data size.
    if(leadingSizeInByte == 2)
	{
	    // Extract the first two bytes as the size field as the data size
	    // encrypt
	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
	    // advance the buffer
	    buffer = &buffer[2];
	}
#ifdef      TPM4B
    else if(leadingSizeInByte == 4)
	{
	    // use the first four bytes to indicate the number of bytes to encrypt
	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
	    //advance pointer
	    buffer = &buffer[4];
	}
#endif
    else
	{
	    FAIL(FATAL_ERROR_INTERNAL);
	}
    // Compute encryption key by concatenating sessionKey with extra key
    MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));
    MemoryConcat2B(&key.b, &extraKey->b, sizeof(key.t.buffer));
    if(session->symmetric.algorithm == TPM_ALG_XOR)
	// XOR parameter encryption formulation:
	//    XOR(parameter, hash, sessionAuth, nonceNewer, nonceOlder)
	CryptXORObfuscation(session->authHashAlg, &(key.b),
			    &(session->nonceTPM.b),
			    nonceCaller, cipherSize, buffer);
    else
	ParmEncryptSym(session->symmetric.algorithm, session->authHashAlg,
		       session->symmetric.keyBits.aes, &(key.b),
		       nonceCaller, &(session->nonceTPM.b),
		       cipherSize, buffer);
    return;
}
/* 10.2.6.6.6 CryptParameterDecryption() */
/* This function does in-place decryption of a command parameter. */
/* Error Returns Meaning */
/* TPM_RC_SIZE The number of bytes in the input buffer is less than the number of bytes to be
   decrypted. */
TPM_RC
CryptParameterDecryption(
			 TPM_HANDLE       handle,            // IN: encrypted session handle
			 TPM2B           *nonceCaller,       // IN: nonce caller
			 UINT32           bufferSize,        // IN: size of parameter buffer
			 UINT16           leadingSizeInByte, // IN: the size of the leading size field in
			 //     byte
			 TPM2B_AUTH      *extraKey,          // IN: the authValue
			 BYTE            *buffer             // IN/OUT: parameter buffer to be decrypted
			 )
{
    SESSION         *session = SessionGet(handle);  // encrypt session
    // The HMAC key is going to be the concatenation of the session key and any
    // additional key material (like the authValue). The size of both of these
    // is the size of the buffer which can contain a TPMT_HA.
    TPM2B_TYPE(HMAC_KEY, (sizeof(extraKey->t.buffer)
			  + sizeof(session->sessionKey.t.buffer)));
    TPM2B_HMAC_KEY          key;            // decryption key
    UINT32                  cipherSize = 0; // size of cipher text
    // Retrieve encrypted data size.
    if(leadingSizeInByte == 2)
	{
	    // The first two bytes of the buffer are the size of the
	    // data to be decrypted
	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
	    buffer = &buffer[2];   // advance the buffer
	}
#ifdef  TPM4B
    else if(leadingSizeInByte == 4)
	{
	    // the leading size is four bytes so get the four byte size field
	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
	    buffer = &buffer[4];   //advance pointer
	}
#endif
    else
	{
	    FAIL(FATAL_ERROR_INTERNAL);
	}
    if(cipherSize > bufferSize)
	return TPM_RC_SIZE;
    // Compute decryption key by concatenating sessionAuth with extra input key
    MemoryCopy2B(&key.b, &session->sessionKey.b, sizeof(key.t.buffer));
    MemoryConcat2B(&key.b, &extraKey->b, sizeof(key.t.buffer));
    if(session->symmetric.algorithm == TPM_ALG_XOR)
	// XOR parameter decryption formulation:
	//    XOR(parameter, hash, sessionAuth, nonceNewer, nonceOlder)
	// Call XOR obfuscation function
	CryptXORObfuscation(session->authHashAlg, &key.b, nonceCaller,
			    &(session->nonceTPM.b), cipherSize, buffer);
    else
	// Assume that it is one of the symmetric block ciphers.
	ParmDecryptSym(session->symmetric.algorithm, session->authHashAlg,
		       session->symmetric.keyBits.sym,
		       &key.b, nonceCaller, &session->nonceTPM.b,
		       cipherSize, buffer);
    return TPM_RC_SUCCESS;
}
/* 10.2.6.6.7 CryptComputeSymmetricUnique() */
/* This function computes the unique field in public area for symmetric objects. */
void
CryptComputeSymmetricUnique(
			    TPMT_PUBLIC     *publicArea,    // IN: the object's public area
			    TPMT_SENSITIVE  *sensitive,     // IN: the associated sensitive area
			    TPM2B_DIGEST    *unique         // OUT: unique buffer
			    )
{
    // For parents (symmetric and derivation), use an HMAC to compute
    // the 'unique' field
    if(IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, restricted)
       && IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, decrypt))
	{
	    // Unique field is HMAC(sensitive->seedValue, sensitive->sensitive)
	    HMAC_STATE      hmacState;
	    unique->b.size = CryptHmacStart2B(&hmacState, publicArea->nameAlg,
					      &sensitive->seedValue.b);
	    CryptDigestUpdate2B(&hmacState.hashState,
				&sensitive->sensitive.any.b);
	    CryptHmacEnd2B(&hmacState, &unique->b);
	}
    else
	{
	    HASH_STATE  hashState;
	    // Unique := Hash(sensitive->seedValue || sensitive->sensitive)
	    unique->t.size = CryptHashStart(&hashState, publicArea->nameAlg);
	    CryptDigestUpdate2B(&hashState, &sensitive->seedValue.b);
	    CryptDigestUpdate2B(&hashState, &sensitive->sensitive.any.b);
	    CryptHashEnd2B(&hashState, &unique->b);
	}
    return;
}
/* 10.2.6.6.8 CryptCreateObject() */
/* This function creates an object. For an asymmetric key, it will create a key pair and, for a
   parent key, a seed value for child protections. */
/* For an symmetric object, (TPM_ALG_SYMCIPHER or TPM_ALG_KEYEDHASH), it will create a secret key if
   the caller did not provide one. It will create a random secret seed value that is hashed with the
   secret value to create the public unique value. */
/* publicArea, sensitive, and sensitiveCreate are the only required parameters and are the only ones
   that are used by TPM2_Create(). The other parameters are optional and are used when the generated
   Object needs to be deterministic. This is the case for both Primary Objects and Derived
   Objects. */
/* When a seed value is provided, a RAND_STATE will be populated and used for all operations in the
   object generation that require a random number. In the simplest case, TPM2_CreatePrimary() will
   use seed, label and context with context being the hash of the template. If the Primary Object is
   in the Endorsement hierarchy, it will also populate proof with ehProof. */
/* For derived keys, seed will be the secret value from the parent, label and context will be set
   according to the parameters of TPM2_CreateLoaded() and hashAlg will be set which causes the RAND_STATE
   to be a KDF generator. */
/* Error Returns Meaning */
/* TPM_RC_KEY a provided key is not an allowed value */
/* TPM_RC_KEY_SIZE key size in the public area does not match the size in the sensitive creation
   area for a symmetric key */
/* TPM_RC_NO_RESULT unable to get random values (only in derivation) */
/* TPM_RC_RANGE for an RSA key, the exponent is not supported */
/* TPM_RC_SIZE sensitive data size is larger than allowed for the scheme for a keyed hash object */
/* TPM_RC_VALUE exponent is not prime or could not find a prime using the provided parameters for an
   RSA key; unsupported name algorithm for an ECC key */
TPM_RC
CryptCreateObject(
		  OBJECT                  *object,            // IN: new object structure pointer
		  TPMS_SENSITIVE_CREATE   *sensitiveCreate,   // IN: sensitive creation
		  RAND_STATE              *rand               // IN: the random number generator
		  //      to use
		  )
{
    TPMT_PUBLIC             *publicArea = &object->publicArea;
    TPMT_SENSITIVE          *sensitive = &object->sensitive;
    TPM_RC                   result = TPM_RC_SUCCESS;
    //
    // Set the sensitive type for the object
    sensitive->sensitiveType = publicArea->type;
    // For all objects, copy the initial authorization data
    sensitive->authValue = sensitiveCreate->userAuth;
    // If the TPM is the source of the data, set the size of the provided data to
    // zero so that there's no confusion about what to do.
    if(IS_ATTRIBUTE(publicArea->objectAttributes,
		    TPMA_OBJECT, sensitiveDataOrigin))
	sensitiveCreate->data.t.size = 0;
    // Generate the key and unique fields for the asymmetric keys and just the
    // sensitive value for symmetric object
    switch(publicArea->type)
	{
#if ALG_RSA
	    // Create RSA key
	  case TPM_ALG_RSA:
	    // RSA uses full object so that it has a place to put the private
	    // exponent
	    result = CryptRsaGenerateKey(object, rand);
	    break;
#endif // TPM_ALG_RSA
#if ALG_ECC
	    // Create ECC key
	  case TPM_ALG_ECC:
	    result = CryptEccGenerateKey(publicArea, sensitive, rand);
	    break;
#endif // TPM_ALG_ECC
	  case TPM_ALG_SYMCIPHER:
	    result = CryptGenerateKeySymmetric(publicArea, sensitive,
					       sensitiveCreate, rand);
	    break;
	  case TPM_ALG_KEYEDHASH:
	    result = CryptGenerateKeyedHash(publicArea, sensitive,
					    sensitiveCreate, rand);
	    break;
	  default:
	    FAIL(FATAL_ERROR_INTERNAL);
	    break;
	}
    if(result != TPM_RC_SUCCESS)
	return result;
    // Create the sensitive seed value
    // If this is a primary key in the endorsement hierarchy, stir the DRBG state
    // This implementation uses both shProof and ehProof to make sure that there
    // is no leakage of either.
    if(object->attributes.primary && object->attributes.epsHierarchy)
	{
	    DRBG_AdditionalData((DRBG_STATE *)rand, &gp.shProof.b);
	    DRBG_AdditionalData((DRBG_STATE *)rand, &gp.ehProof.b);
	}
    // Generate a seedValue that is the size of the digest produced by nameAlg
    sensitive->seedValue.t.size =
	DRBG_Generate(rand, object->sensitive.seedValue.t.buffer,
		      CryptHashGetDigestSize(publicArea->nameAlg));
    if(g_inFailureMode)
	return TPM_RC_FAILURE;
    else if(sensitive->seedValue.t.size == 0)
	return TPM_RC_NO_RESULT;
    // For symmetric objects, need to compute the unique value for the public area
    if(publicArea->type == TPM_ALG_SYMCIPHER
       || publicArea->type == TPM_ALG_KEYEDHASH)
	{
	    CryptComputeSymmetricUnique(publicArea, sensitive,
					&publicArea->unique.sym);
	}
    else
	{
	    // if this is an asymmetric key and it isn't a parent, then
	    // get rid of the seed.
	    if(IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, sign)
	       || !IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, restricted))
		memset(&sensitive->seedValue, 0,
		       sizeof(sensitive->seedValue));
	}
    // Compute the name
    PublicMarshalAndComputeName(publicArea, &object->name);
    return result;
}
/* 10.2.6.6.9 CryptGetSignHashAlg() */
/* Get the hash algorithm of signature from a TPMT_SIGNATURE structure. It assumes the signature is
   not NULL This is a function for easy access */
TPMI_ALG_HASH
CryptGetSignHashAlg(
		    TPMT_SIGNATURE  *auth           // IN: signature
		    )
{
    if(auth->sigAlg == TPM_ALG_NULL)
	FAIL(FATAL_ERROR_INTERNAL);
    // Get authHash algorithm based on signing scheme
    switch(auth->sigAlg)
	{
#if ALG_RSA
	    // If RSA is supported, both RSASSA and RSAPSS are required
#   if !defined TPM_ALG_RSASSA || !defined TPM_ALG_RSAPSS
#       error "RSASSA and RSAPSS are required for RSA"
#   endif
	  case TPM_ALG_RSASSA:
	    return auth->signature.rsassa.hash;
	  case TPM_ALG_RSAPSS:
	    return auth->signature.rsapss.hash;
#endif //TPM_ALG_RSA
#if ALG_ECC
	    // If ECC is defined, ECDSA is mandatory
#   ifndef  TPM_ALG_ECDSA
#       error "ECDSA is required for ECC"
#   endif
	  case TPM_ALG_ECDSA:
	    // SM2 and ECSCHNORR are optional
#   if ALG_SM2
	  case TPM_ALG_SM2:
#   endif
#   if ALG_ECSCHNORR
	  case TPM_ALG_ECSCHNORR:
#   endif
	    //all ECC signatures look the same
	    return auth->signature.ecdsa.hash;
#   if ALG_ECDAA
	    // Don't know how to verify an ECDAA signature
	  case TPM_ALG_ECDAA:
	    break;
#   endif
#endif //TPM_ALG_ECC
	  case TPM_ALG_HMAC:
	    return auth->signature.hmac.hashAlg;
	  default:
	    break;
	}
    return TPM_ALG_NULL;
}
/* 10.2.6.6.10 CryptIsSplitSign() */
/* This function us used to determine if the signing operation is a split signing operation that
   required a TPM2_Commit(). */
BOOL
CryptIsSplitSign(
		 TPM_ALG_ID       scheme         // IN: the algorithm selector
		 )
{
    switch(scheme)
	{
#   if ALG_ECDAA
	  case TPM_ALG_ECDAA:
	    return TRUE;
	    break;
#   endif   // TPM_ALG_ECDAA
	  default:
	    return FALSE;
	    break;
	}
}
/* 10.2.6.6.11 CryptIsAsymSignScheme() */
/* This function indicates if a scheme algorithm is a sign algorithm. */
BOOL
CryptIsAsymSignScheme(
		      TPMI_ALG_PUBLIC          publicType,        // IN: Type of the object
		      TPMI_ALG_ASYM_SCHEME     scheme             // IN: the scheme
		      )
{
    BOOL            isSignScheme = TRUE;
    switch(publicType)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    switch(scheme)
		{
#   if !defined TPM_ALG_RSASSA  || !defined TPM_ALG_RSAPSS
#       error "RSASSA and PSAPSS required if RSA used."
#   endif
		  case TPM_ALG_RSASSA:
		  case TPM_ALG_RSAPSS:
		    break;
		  default:
		    isSignScheme = FALSE;
		    break;
		}
	    break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	    // If ECC is implemented ECDSA is required
	  case TPM_ALG_ECC:
	    switch(scheme)
		{
		    // Support for ECDSA is required for ECC
		  case TPM_ALG_ECDSA:
#if ALG_ECDAA // ECDAA is optional
		  case TPM_ALG_ECDAA:
#endif
#if ALG_ECSCHNORR // Schnorr is also optional
		  case TPM_ALG_ECSCHNORR:
#endif
#if ALG_SM2 // SM2 is optional
		  case TPM_ALG_SM2:
#endif
		    break;
		  default:
		    isSignScheme = FALSE;
		    break;
		}
	    break;
#endif //TPM_ALG_ECC
	  default:
	    isSignScheme = FALSE;
	    break;
	}
    return isSignScheme;
}
/* 10.2.6.6.12 CryptIsAsymDecryptScheme() */
/* This function indicate if a scheme algorithm is a decrypt algorithm. */
BOOL
CryptIsAsymDecryptScheme(
			 TPMI_ALG_PUBLIC          publicType,        // IN: Type of the object
			 TPMI_ALG_ASYM_SCHEME     scheme             // IN: the scheme
			 )
{
    BOOL        isDecryptScheme = TRUE;
    switch(publicType)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    switch(scheme)
		{
		  case TPM_ALG_RSAES:
		  case TPM_ALG_OAEP:
		    break;
		  default:
		    isDecryptScheme = FALSE;
		    break;
		}
	    break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	    // If ECC is implemented ECDH is required
	  case TPM_ALG_ECC:
	    switch(scheme)
		{
#if !ALG_ECDH
#   error "ECDH is required for ECC"
#endif
		  case TPM_ALG_ECDH:
#if ALG_SM2
		  case TPM_ALG_SM2:
#endif
#if ALG_ECMQV
		  case TPM_ALG_ECMQV:
#endif
		    break;
		  default:
		    isDecryptScheme = FALSE;
		    break;
		}
	    break;
#endif //TPM_ALG_ECC
	  default:
	    isDecryptScheme = FALSE;
	    break;
	}
    return isDecryptScheme;
}
/* 10.2.6.6.13 CryptSelectSignScheme() */
/* This function is used by the attestation and signing commands.  It implements the rules for
   selecting the signature scheme to use in signing. This function requires that the signing key
   either be TPM_RH_NULL or be loaded. */
/* If a default scheme is defined in object, the default scheme should be chosen, otherwise, the
   input scheme should be chosen. In the case that both object and input scheme has a non-NULL
   scheme algorithm, if the schemes are compatible, the input scheme will be chosen. */
/* This function should not be called if 'signObject->publicArea.type' == TPM_ALG_SYMCIPHER. */
/* Return Values Meaning */
/* TRUE scheme selected */
/* FALSE both scheme and key's default scheme are empty; or scheme is empty while key's default
   scheme requires explicit input scheme (split signing); or non-empty default key scheme differs
   from scheme */
BOOL
CryptSelectSignScheme(
		      OBJECT              *signObject,    // IN: signing key
		      TPMT_SIG_SCHEME     *scheme         // IN/OUT: signing scheme
		      )
{
    TPMT_SIG_SCHEME     *objectScheme;
    TPMT_PUBLIC         *publicArea;
    BOOL                 OK;
    // If the signHandle is TPM_RH_NULL, then the NULL scheme is used, regardless
    // of the setting of scheme
    if(signObject == NULL)
	{
	    OK = TRUE;
	    scheme->scheme = TPM_ALG_NULL;
	    scheme->details.any.hashAlg = TPM_ALG_NULL;
	}
    else
	{
	    // assignment to save typing.
	    publicArea = &signObject->publicArea;
	    // A symmetric cipher can be used to encrypt and decrypt but it can't
	    // be used for signing
	    if(publicArea->type == TPM_ALG_SYMCIPHER)
		return FALSE;
	    // Point to the scheme object
	    if(CryptIsAsymAlgorithm(publicArea->type))
		objectScheme =
		    (TPMT_SIG_SCHEME *)&publicArea->parameters.asymDetail.scheme;
	    else
		objectScheme =
		    (TPMT_SIG_SCHEME *)&publicArea->parameters.keyedHashDetail.scheme;
	    // If the object doesn't have a default scheme, then use the
	    // input scheme.
	    if(objectScheme->scheme == TPM_ALG_NULL)
		{
		    // Input and default can't both be NULL
		    OK = (scheme->scheme != TPM_ALG_NULL);
		    // Assume that the scheme is compatible with the key. If not,
		    // an error will be generated in the signing operation.
		}
	    else if(scheme->scheme == TPM_ALG_NULL)
		{
		    // input scheme is NULL so use default
		    // First, check to see if the default requires that the caller
		    // provided scheme data
		    OK = !CryptIsSplitSign(objectScheme->scheme);
		    if(OK)
			{
			    // The object has a scheme and the input is TPM_ALG_NULL so copy
			    // the object scheme as the final scheme. It is better to use a
			    // structure copy than a copy of the individual fields.
			    *scheme = *objectScheme;
			}
		}
	    else
		{
		    // Both input and object have scheme selectors
		    // If the scheme and the hash are not the same then...
		    // NOTE: the reason that there is no copy here is that the input
		    // might contain extra data for a split signing scheme and that
		    // data is not in the object so, it has to be preserved.
		    OK = (objectScheme->scheme == scheme->scheme)
			 && (objectScheme->details.any.hashAlg
			     == scheme->details.any.hashAlg);
		}
	}
    return OK;
}
/* 10.2.6.6.14 CryptSign() */
/* Sign a digest with asymmetric key or HMAC. This function is called by attestation commands and
   the generic TPM2_Sign() command. This function checks the key scheme and digest size.  It does
   not check if the sign operation is allowed for restricted key.  It should be checked before the
   function is called. The function will assert if the key is not a signing key. */
/* Error Returns Meaning */
/* TPM_RC_SCHEME signScheme is not compatible with the signing key type */
/* TPM_RC_VALUE digest value is greater than the modulus of signHandle or size of hashData does not
   match hash algorithm insignScheme (for an RSA key); invalid commit status or failed to generate r
   value (for an ECC key) */
TPM_RC
CryptSign(
	  OBJECT              *signKey,       // IN: signing key
	  TPMT_SIG_SCHEME     *signScheme,    // IN: sign scheme.
	  TPM2B_DIGEST        *digest,        // IN: The digest being signed
	  TPMT_SIGNATURE      *signature      // OUT: signature
	  )
{
    TPM_RC               result = TPM_RC_SCHEME;
    // Initialize signature scheme
    signature->sigAlg = signScheme->scheme;
    // If the signature algorithm is TPM_ALG_NULL or the signing key is NULL,
    // then we are done
    if((signature->sigAlg == TPM_ALG_NULL) || (signKey == NULL))
	return TPM_RC_SUCCESS;
    // Initialize signature hash
    // Note: need to do the check for TPM_ALG_NULL first because the null scheme
    // doesn't have a hashAlg member.
    signature->signature.any.hashAlg = signScheme->details.any.hashAlg;
    // perform sign operation based on different key type
    switch(signKey->publicArea.type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    result = CryptRsaSign(signature, signKey, digest, NULL);
	    break;
#endif //TPM_ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	    // The reason that signScheme is passed to CryptEccSign but not to the
	    // other signing methods is that the signing for ECC may be split and
	    // need the 'r' value that is in the scheme but not in the signature.
	    result = CryptEccSign(signature, signKey, digest,
				  (TPMT_ECC_SCHEME *)signScheme, NULL);
	    break;
#endif //TPM_ALG_ECC
	  case TPM_ALG_KEYEDHASH:
	    result = CryptHmacSign(signature, signKey, digest);
	    break;
	  default:
	    FAIL(FATAL_ERROR_INTERNAL);
	    break;
	}
    return result;
}
/* 10.2.6.6.15 CryptValidateSignature() */
/* This function is used to verify a signature.  It is called by TPM2_VerifySignature() and
   TPM2_PolicySigned(). */
/* Since this operation only requires use of a public key, no consistency checks are necessary for
   the key to signature type because a caller can load any public key that they like with any scheme
   that they like. This routine simply makes sure that the signature is correct, whatever the
   type. */
/* Error Returns Meaning */
/* TPM_RC_SIGNATURE the signature is not genuine */
/* TPM_RC_SCHEME the scheme is not supported */
/* TPM_RC_HANDLE an HMAC key was selected but the private part of the key is not loaded */
TPM_RC
CryptValidateSignature(
		       TPMI_DH_OBJECT   keyHandle,     // IN: The handle of sign key
		       TPM2B_DIGEST    *digest,        // IN: The digest being validated
		       TPMT_SIGNATURE  *signature      // IN: signature
		       )
{
    // NOTE: HandleToObject will either return a pointer to a loaded object or
    // will assert. It will never return a non-valid value. This makes it save
    // to initialize 'publicArea' with the return value from HandleToObject()
    // without checking it first.
    OBJECT              *signObject = HandleToObject(keyHandle);
    TPMT_PUBLIC         *publicArea = &signObject->publicArea;
    TPM_RC               result = TPM_RC_SCHEME;
    // The input unmarshaling should prevent any input signature from being
    // a NULL signature, but just in case
    if(signature->sigAlg == TPM_ALG_NULL)
	return TPM_RC_SIGNATURE;
    switch(publicArea->type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	      {
		  //
		  // Call RSA code to verify signature
		  result = CryptRsaValidateSignature(signature, signObject, digest);
		  break;
	      }
#endif //TPM_ALG_RSA
#if ALG_ECC
	  case TPM_ALG_ECC:
	    result = CryptEccValidateSignature(signature, signObject, digest);
	    break;
#endif // TPM_ALG_ECC
	  case TPM_ALG_KEYEDHASH:
	    if(signObject->attributes.publicOnly)
		result = TPM_RCS_HANDLE;
	    else
		result = CryptHMACVerifySignature(signObject, digest, signature);
	    break;
	  default:
	    break;
	}
    return result;
}
/* 10.2.6.6.16 CryptGetTestResult */
/* This function returns the results of a self-test function. */
/* NOTE: the behavior in this function is NOT the correct behavior for a real TPM implementation.
   An artificial behavior is placed here due to the limitation of a software simulation environment.
   For the correct behavior, consult the part 3 specification for TPM2_GetTestResult(). */
TPM_RC
CryptGetTestResult(
		   TPM2B_MAX_BUFFER    *outData        // OUT: test result data
		   )
{
    outData->t.size = 0;
    return TPM_RC_SUCCESS;
}
/* 10.2.6.6.17 CryptValidateKeys() */
/* This function is used to verify that the key material of an object is valid. For a publicOnly
   object, the key is verified for size and, if it is an ECC key, it is verified to be on the
   specified curve. For a key with a sensitive area, the binding between the public and private
   parts of the key are verified. If the nameAlg of the key is TPM_ALG_NULL, then the size of the
   sensitive area is verified but the public portion is not verified, unless the key is an RSA
   key. For an RSA key, the reason for loading the sensitive area is to use it. The only way to use
   a private RSA key is to compute the private exponent. To compute the private exponent, the public
   modulus is used. */
/* Error Returns Meaning */
/* TPM_RC_BINDING the public and private parts are not cryptographically bound */
/* TPM_RC_HASH cannot have a publicOnly key with nameAlg of TPM_ALG_NULL */
/* TPM_RC_KEY the public unique is not valid */
/* TPM_RC_KEY_SIZE the private area key is not valid */
/* TPM_RC_TYPE the types of the sensitive and private parts do not match */
TPM_RC
CryptValidateKeys(
		  TPMT_PUBLIC      *publicArea,
		  TPMT_SENSITIVE   *sensitive,
		  TPM_RC            blamePublic,
		  TPM_RC            blameSensitive
		  )
{
    TPM_RC               result;
    UINT16               keySizeInBytes;
    UINT16               digestSize = CryptHashGetDigestSize(publicArea->nameAlg);
    TPMU_PUBLIC_PARMS   *params = &publicArea->parameters;
    TPMU_PUBLIC_ID      *unique = &publicArea->unique;
    if(sensitive != NULL)
	{
	    // Make sure that the types of the public and sensitive are compatible
	    if(publicArea->type != sensitive->sensitiveType)
		return TPM_RCS_TYPE + blameSensitive;
	    // Make sure that the authValue is not bigger than allowed
	    // If there is no name algorithm, then the size just needs to be less than
	    // the maximum size of the buffer used for authorization. That size check
	    // was made during unmarshaling of the sensitive area
	    if((sensitive->authValue.t.size) > digestSize && (digestSize > 0))
		return TPM_RCS_SIZE + blameSensitive;
	}
    switch(publicArea->type)
	{
#if ALG_RSA
	  case TPM_ALG_RSA:
	    keySizeInBytes = BITS_TO_BYTES(params->rsaDetail.keyBits);
	    // Regardless of whether there is a sensitive area, the public modulus
	    // needs to have the correct size. Otherwise, it can't be used for
	    // any public key operation nor can it be used to compute the private
	    // exponent.
	    // NOTE: This implementation only supports key sizes that are multiples
	    // of 1024 bits which means that the MSb of the 0th byte will always be
	    // SET in either a prime or the public modulus.
	    if((unique->rsa.t.size != keySizeInBytes)
	       || (unique->rsa.t.buffer[0] < 0x80))
		return TPM_RCS_KEY + blamePublic;
	    if(params->rsaDetail.exponent != 0
	       && params->rsaDetail.exponent < 7)
		return TPM_RCS_VALUE + blamePublic;
	    if(sensitive != NULL)
		{
		    // If there is a sensitive area, it has to be the correct size
		    // including having the correct high order bit SET.
		    if(((sensitive->sensitive.rsa.t.size * 2) != keySizeInBytes)
		       || (sensitive->sensitive.rsa.t.buffer[0] < 0x80))
			return TPM_RCS_KEY_SIZE + blameSensitive;
		}
	    break;
#endif
#if ALG_ECC
	  case TPM_ALG_ECC:
	      {
		  TPMI_ECC_CURVE      curveId;
		  curveId = params->eccDetail.curveID;
		  keySizeInBytes = BITS_TO_BYTES(CryptEccGetKeySizeForCurve(curveId));
		  if(sensitive == NULL)
		      {
			  // Validate the public key size
			  if(unique->ecc.x.t.size != keySizeInBytes
			     || unique->ecc.y.t.size != keySizeInBytes)
			      return TPM_RCS_KEY + blamePublic;
			  if(publicArea->nameAlg != TPM_ALG_NULL)
			      {
				  if(!CryptEccIsPointOnCurve(curveId, &unique->ecc))
				      return TPM_RCS_ECC_POINT + blamePublic;
			      }
		      }
		  else
		      {
			  // If the nameAlg is TPM_ALG_NULL, then only verify that the
			  // private part of the key is OK.
			  if(!CryptEccIsValidPrivateKey(&sensitive->sensitive.ecc,
							curveId))
			      return TPM_RCS_KEY_SIZE;
			  if(publicArea->nameAlg != TPM_ALG_NULL)
			      {
				  // Full key load, verify that the public point belongs to the
				  // private key.
				  TPMS_ECC_POINT          toCompare;
				  result = CryptEccPointMultiply(&toCompare, curveId, NULL,
								 &sensitive->sensitive.ecc,
								 NULL, NULL);
				  if(result != TPM_RC_SUCCESS)
				      return TPM_RCS_BINDING;
				  else
				      {
					  // Make sure that the private key generated the public key.
					  // The input values and the values produced by the point
					  // multiply may not be the same size so adjust the computed
					  // value to match the size of the input value by adding or
					  // removing zeros.
					  AdjustNumberB(&toCompare.x.b, unique->ecc.x.t.size);
					  AdjustNumberB(&toCompare.y.b, unique->ecc.y.t.size);
					  if(!MemoryEqual2B(&unique->ecc.x.b, &toCompare.x.b)
					     || !MemoryEqual2B(&unique->ecc.y.b, &toCompare.y.b))
					      return TPM_RCS_BINDING;
				      }
			      }
		      }
		  break;
	      }
#endif
	  default:
	    // Checks for SYMCIPHER and KEYEDHASH are largely the same
	    // If public area has a nameAlg, then validate the public area size
	    // and if there is also a sensitive area, validate the binding
	    // For consistency, if the object is public-only just make sure that
	    // the unique field is consistent with the name algorithm
	    if(sensitive == NULL)
		{
		    if(unique->sym.t.size != digestSize)
			return TPM_RCS_KEY + blamePublic;
		}
	    else
		{
		    // Make sure that the key size in the sensitive area is consistent.
		    if(publicArea->type == TPM_ALG_SYMCIPHER)
			{
			    result = CryptSymKeyValidate(&params->symDetail.sym,
							 &sensitive->sensitive.sym);
			    if(result != TPM_RC_SUCCESS)
				return result + blameSensitive;
			}
		    else
			{
			    // For a keyed hash object, the key has to be less than the
			    // smaller of the block size of the hash used in the scheme or
			    // 128 bytes. The worst case value is limited by the
			    // unmarshaling code so the only thing left to be checked is
			    // that it does not exceed the block size of the hash.
			    // by the hash algorithm of the scheme.
			    TPMT_KEYEDHASH_SCHEME       *scheme;
			    UINT16                       maxSize;
			    scheme = &params->keyedHashDetail.scheme;
			    if(scheme->scheme == TPM_ALG_XOR)
				{
				    maxSize = CryptHashGetBlockSize(scheme->details.xorr.hashAlg);
				}
			    else if(scheme->scheme == TPM_ALG_HMAC)
				{
				    maxSize = CryptHashGetBlockSize(scheme->details.hmac.hashAlg);
				}
			    else if(scheme->scheme == TPM_ALG_NULL)
				{
				    // Not signing or xor so must be a data block
				    maxSize = 128;
				}
			    else
				return TPM_RCS_SCHEME + blamePublic;
			    if(sensitive->sensitive.bits.t.size > maxSize)
				return TPM_RCS_KEY_SIZE + blameSensitive;
			}
		    // If there is a nameAlg, check the binding
		    if(publicArea->nameAlg != TPM_ALG_NULL)
			{
			    TPM2B_DIGEST            compare;
			    if(sensitive->seedValue.t.size != digestSize)
				return TPM_RCS_KEY_SIZE + blameSensitive;
			    CryptComputeSymmetricUnique(publicArea, sensitive, &compare);
			    if(!MemoryEqual2B(&unique->sym.b, &compare.b))
				return TPM_RC_BINDING;
			}
		}
	    break;
	}
    // For a parent, need to check that the seedValue is the correct size for
    // protections. It should be at least half the size of the nameAlg
    if(IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, restricted)
       && IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, decrypt)
       && sensitive != NULL
       && publicArea->nameAlg != TPM_ALG_NULL)
	{
	    if((sensitive->seedValue.t.size < (digestSize / 2))
	       || (sensitive->seedValue.t.size > digestSize))
		return TPM_RCS_SIZE + blameSensitive;
	}
    return TPM_RC_SUCCESS;
}
/* 10.2.6.6.18 CryptSelectMac() */
/* This function is used to set the MAC scheme based on the key parameters and the input scheme. */
/* Error Returns Meaning */
/* TPM_RC_SCHEME the scheme is not a valid mac scheme */
/* TPM_RC_TYPE the input key is not a type that supports a mac */
/* TPM_RC_VALUE the input scheme and the key scheme are not compatible */
TPM_RC
CryptSelectMac(
	       TPMT_PUBLIC             *publicArea,
	       TPMI_ALG_MAC_SCHEME     *inMac
	       )
{
    TPM_ALG_ID              macAlg = TPM_ALG_NULL;
    switch(publicArea->type)
	{
	  case TPM_ALG_KEYEDHASH:
	      {
		  // Local value to keep lines from getting too long
		  TPMT_KEYEDHASH_SCHEME   *scheme;
		  scheme = &publicArea->parameters.keyedHashDetail.scheme;
		  // Expect that the scheme is either HMAC or NULL
		  if(scheme->scheme != TPM_ALG_NULL)
		      macAlg = scheme->details.hmac.hashAlg;
		  break;
	      }
	  case TPM_ALG_SYMCIPHER:
	      {
		  TPMT_SYM_DEF_OBJECT     *scheme;
		  scheme = &publicArea->parameters.symDetail.sym;
		  // Expect that the scheme is either valid symmetric cipher or NULL
		  if(scheme->algorithm != TPM_ALG_NULL)
		      macAlg = scheme->mode.sym;
		  break;
	      }
	  default:
	    return TPM_RCS_TYPE;
	}
    // If the input value is not TPM_ALG_NULL ...
    if(*inMac != TPM_ALG_NULL)
	{
	    // ... then either the scheme in the key must be TPM_ALG_NULL or the input
	    // value must match
	    if((macAlg != TPM_ALG_NULL) && (*inMac != macAlg))
		return TPM_RCS_VALUE;
	}
    else
	{
	    // Since the input value is TPM_ALG_NULL, then the key value can't be
	    // TPM_ALG_NULL
	    if(macAlg == TPM_ALG_NULL)
		return TPM_RCS_VALUE;
	    *inMac = macAlg;
	}
    if(!CryptMacIsValidForKey(publicArea->type, *inMac, FALSE))
	return TPM_RCS_SCHEME;
    return TPM_RC_SUCCESS;
}
/* 10.2.6.6.19 CryptMacIsValidForKey() */
/* Check to see if the key type is compatible with the mac type */
BOOL
CryptMacIsValidForKey(
		      TPM_ALG_ID          keyType,
		      TPM_ALG_ID          macAlg,
		      BOOL                flag
		      )
{
    switch(keyType)
	{
	  case TPM_ALG_KEYEDHASH:
	    return CryptHashIsValidAlg(macAlg, flag);
	    break;
	  case TPM_ALG_SYMCIPHER:
	    return CryptSmacIsValidAlg(macAlg, flag);
	    break;
	  default:
	    break;
	}
    return FALSE;
}
/* 10.2.6.6.20 CryptSmacIsValidAlg() */
/* This function is used to test if an algorithm is a supported SMAC algorithm. It needs to be
   updated as new algorithms are added. */
BOOL
CryptSmacIsValidAlg(
		    TPM_ALG_ID      alg,
		    BOOL            FLAG        // IN: Indicates if TPM_ALG_NULL is valid
		    )
{
    switch (alg)
	{
#if ALG_CMAC
	  case TPM_ALG_CMAC:
	    return TRUE;
	    break;
#endif
	  case TPM_ALG_NULL:
	    return FLAG;
	    break;
	  default:
	    return FALSE;
	}
}
/* 10.2.6.6.21 CryptSymModeIsValid() */
/* Function checks to see if an algorithm ID is a valid, symmetric block cipher mode for the TPM. If
   flag is SET, them TPM_ALG_NULL is a valid mode. not include the modes used for SMAC */
BOOL
CryptSymModeIsValid(
		    TPM_ALG_ID          mode,
		    BOOL                flag
		    )
{
    switch(mode)
	{
#if         ALG_CTR
	  case TPM_ALG_CTR:
#endif // ALG_CTR
#if         ALG_OFB
	  case TPM_ALG_OFB:
#endif // ALG_OFB
#if         ALG_CBC
	  case TPM_ALG_CBC:
#endif // ALG_CBC
#if         ALG_CFB
	  case TPM_ALG_CFB:
#endif // ALG_CFB
#if         ALG_ECB
	  case TPM_ALG_ECB:
#endif // ALG_ECB
	    return TRUE;
	  case TPM_ALG_NULL:
	    return flag;
	    break;
	  default:
	    break;
	}
    return FALSE;
}
